FortiGate
mle2802
Staff
Article Id 357085
Description This article describes how to troubleshoot the issue with no IP lease when connecting to a tunnel SSID with an optional VLAN ID configured.
Scope FortiGate and FortiAP.
Solution

On the FortiGate, a tunnel SSID is configured with a DHCP server so that it leases addresses to wireless clients.


tunnel ssid.png

From the 'Wi-Fi Clients' monitor, the device can be seen to be connected, but no IP address has been leased to it.

no ip.png
The following output is observed in the wireless client connection debug for this client:

12901.345 ee:b1:82:63:8c:36 cwAcStaRbtAdd: I2C_STA_ADD insert sta ee:b1:82:63:8c:36 192.168.98.2/1/1/1
75054.354 ee:b1:82:63:8c:36 <eh> send 1/4 msg of 4-Way Handshake
75054.354 ee:b1:82:63:8c:36 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=95 replay cnt 1
75054.354 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 99B) ==> ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75054.357 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 125B) <== ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75054.357 ee:b1:82:63:8c:36 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=117
75054.357 ee:b1:82:63:8c:36 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1
75054.358 ee:b1:82:63:8c:36 <eh> send 3/4 msg of 4-Way Handshake
75054.358 ee:b1:82:63:8c:36 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=151 replay cnt 2
75054.358 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 155B) ==> ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75054.361 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 103B) <== ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75054.361 ee:b1:82:63:8c:36 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=95
75054.362 ee:b1:82:63:8c:36 <eh> recv EAPOL-Key 4/4 Pairwise replay cnt 2
12901.362 ee:b1:82:63:8c:36 <dc> STA chg ee:b1:82:63:8c:36 vap Fortinet ws (0-192.168.98.2:5246) rId 1 wId 1 bssid e0:23:ff:14:60:a1 AUTH
12901.363 ee:b1:82:63:8c:36 <cc> STA chg ee:b1:82:63:8c:36 vap Fortinet ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1 sec WPA2 PERSONAL auth 1 ******
12901.363 ee:b1:82:63:8c:36 <cc> STA_CFG_REQ(116) sta ee:b1:82:63:8c:36 add key (len=16) ==> ws (0-192.168.98.2:5246) rId 1 wId 1
12901.368 ee:b1:82:63:8c:36 <cc> STA_CFG_RESP(116) ee:b1:82:63:8c:36 <== ws (0-192.168.98.2:5246) rc 0 (Success)
75054.368 ee:b1:82:63:8c:36 <eh> ***pairwise key handshake completed*** (RSN)
12901.497 ee:b1:82:63:8c:36 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427427
12903.724 ee:b1:82:63:8c:36 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427427
12905.983 ee:b1:82:63:8c:36 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427427
12909.404 ee:b1:82:63:8c:36 <dc> DHCP Discover server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 0.0.0.0 xId aa427428

This shows that the 4-way handshake completes (the client is authenticated), but there is no DHCP response to the client's DHCP Discover. Checking the SSID configuration shows that the 'Optional VLAN ID' is set to 5 instead of the default value of 0.

wrong option vlan.png
Change the 'Optional VLAN ID' back to 0 and reconnect the client to the SSID; the client now obtains a lease:

right vlan.png

get ip.png

13393.924 ee:b1:82:63:8c:36 cwAcStaRbtAdd: I2C_STA_ADD insert sta ee:b1:82:63:8c:36 192.168.98.2/1/1/1
75545.927 ee:b1:82:63:8c:36 <eh> send 1/4 msg of 4-Way Handshake
75545.927 ee:b1:82:63:8c:36 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=95 replay cnt 1
75545.927 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 99B) ==> ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75545.931 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 121B) <== ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75545.931 ee:b1:82:63:8c:36 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=117
75545.931 ee:b1:82:63:8c:36 <eh> recv EAPOL-Key 2/4 Pairwise replay cnt 1
75545.931 ee:b1:82:63:8c:36 <eh> send 3/4 msg of 4-Way Handshake
75545.931 ee:b1:82:63:8c:36 <eh> send IEEE 802.1X ver=2 type=3 (EAPOL_KEY) data len=151 replay cnt 2
75545.931 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 155B) ==> ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75545.935 ee:b1:82:63:8c:36 <eh> IEEE 802.1X (EAPOL 99B) <== ee:b1:82:63:8c:36 ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1
75545.935 ee:b1:82:63:8c:36 <eh> recv IEEE 802.1X ver=1 type=3 (EAPOL_KEY) data len=95
75545.935 ee:b1:82:63:8c:36 <eh> recv EAPOL-Key 4/4 Pairwise replay cnt 2
13393.936 ee:b1:82:63:8c:36 <dc> STA chg ee:b1:82:63:8c:36 vap Fortinet ws (0-192.168.98.2:5246) rId 1 wId 1 bssid e0:23:ff:14:60:a1 AUTH
13393.936 ee:b1:82:63:8c:36 <cc> STA chg ee:b1:82:63:8c:36 vap Fortinet ws (0-192.168.98.2:5246) rId 1 wId 1 e0:23:ff:14:60:a1 sec WPA2 PERSONAL auth 1 ******
13393.936 ee:b1:82:63:8c:36 <cc> STA_CFG_REQ(163) sta ee:b1:82:63:8c:36 add key (len=16) ==> ws (0-192.168.98.2:5246) rId 1 wId 1
13393.938 ee:b1:82:63:8c:36 <cc> STA_CFG_RESP(163) ee:b1:82:63:8c:36 <== ws (0-192.168.98.2:5246) rc 0 (Success)
75545.938 ee:b1:82:63:8c:36 <eh> ***pairwise key handshake completed*** (RSN)
13393.117 ee:b1:82:63:8c:36 <dc> DHCP Discover server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 0.0.0.0 xId aa427433
13394.131 ee:b1:82:63:8c:36 <dc> DHCP Offer server 192.168.151.1 ==> host mac ee:b1:82:63:8c:36 ip 192.168.151.2 mask 255.255.255.0 gw 192.168.151.1 xId aa427433
13395.256 ee:b1:82:63:8c:36 <dc> DHCP Request server 192.168.151.1 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427433
13395.258 ee:b1:82:63:8c:36 <dc> DHCP Ack server 192.168.151.1 ==> host mac ee:b1:82:63:8c:36 ip 192.168.151.2 mask 255.255.255.0 gw 192.168.151.1 xId aa427433
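To make the difference between the two captures above mechanical rather than something read by eye, here is a small triage script that parses the station trace lines (the '<eh>' handshake marker and the '<dc>' DHCP lines) and classifies each client as "authenticated but never offered a lease" or "lease completed". It is an added example, not Fortinet code or a FortiOS command: the two sample captures are condensed copies of the article's own debug output, and the verdict names and the VLAN-mismatch hint are this example's own assumptions about how to read them.

```python
"""Classify FortiGate wireless client debug captures by their DHCP outcome.

Added example (not Fortinet code). Input is the station trace shown in the
article; only the '<eh>' handshake marker and '<dc>' DHCP lines are used.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Condensed copies of the article's two captures (constructed samples for this script).
BAD_CAPTURE = """\
75054.368 ee:b1:82:63:8c:36 <eh> ***pairwise key handshake completed*** (RSN)
12901.497 ee:b1:82:63:8c:36 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427427
12903.724 ee:b1:82:63:8c:36 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427427
12905.983 ee:b1:82:63:8c:36 <dc> DHCP Request server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427427
12909.404 ee:b1:82:63:8c:36 <dc> DHCP Discover server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 0.0.0.0 xId aa427428
"""

GOOD_CAPTURE = """\
75545.938 ee:b1:82:63:8c:36 <eh> ***pairwise key handshake completed*** (RSN)
13393.117 ee:b1:82:63:8c:36 <dc> DHCP Discover server 0.0.0.0 <== host iPhone mac ee:b1:82:63:8c:36 ip 0.0.0.0 xId aa427433
13394.131 ee:b1:82:63:8c:36 <dc> DHCP Offer server 192.168.151.1 ==> host mac ee:b1:82:63:8c:36 ip 192.168.151.2 mask 255.255.255.0 gw 192.168.151.1 xId aa427433
13395.256 ee:b1:82:63:8c:36 <dc> DHCP Request server 192.168.151.1 <== host iPhone mac ee:b1:82:63:8c:36 ip 192.168.151.2 xId aa427433
13395.258 ee:b1:82:63:8c:36 <dc> DHCP Ack server 192.168.151.1 ==> host mac ee:b1:82:63:8c:36 ip 192.168.151.2 mask 255.255.255.0 gw 192.168.151.1 xId aa427433
"""

# Second field of every trace line is the station MAC the filter was set for.
HANDSHAKE_RE = re.compile(
    r"^\S+ (?P<sta>[0-9a-f:]{17}) <eh> \*\*\*pairwise key handshake completed\*\*\*"
)
DHCP_RE = re.compile(
    r"^\S+ (?P<sta>[0-9a-f:]{17}) <dc> DHCP (?P<msg>Discover|Offer|Request|Ack|Nak)"
    r" server (?P<server>\S+) .*? ip (?P<ip>\S+) .*?xId (?P<xid>[0-9a-f]+)"
)


@dataclass
class StationState:
    handshake_done: bool = False
    # (message type, server field, transaction id) in capture order
    dhcp: List[Tuple[str, str, str]] = field(default_factory=list)
    offered_ip: Optional[str] = None

    @property
    def reclaim_attempts(self) -> int:
        """DHCP Requests sent to server 0.0.0.0 before any Offer: the client
        trying to reclaim a previous lease (RFC 2131 INIT-REBOOT) before it
        gives up and falls back to Discover."""
        count = 0
        for msg, server, _ in self.dhcp:
            if msg == "Offer":
                break
            if msg == "Request" and server == "0.0.0.0":
                count += 1
        return count

    @property
    def verdict(self) -> str:
        msgs = [m for m, _, _ in self.dhcp]
        if not self.handshake_done:
            return "no_key_handshake"  # problem is at the security layer, not DHCP
        if "Ack" in msgs:
            return "dhcp_lease_ok"
        if "Offer" in msgs:
            return "dhcp_in_progress"
        if "Discover" in msgs or "Request" in msgs:
            # Client is transmitting but the server never answers: the SSID is
            # not delivering the client's frames to the DHCP scope it expects
            # (the article's case: a non-zero optional VLAN ID on the tunnel SSID).
            return "auth_ok_no_dhcp_offer"
        return "no_dhcp_traffic"


def triage(capture: str) -> Dict[str, StationState]:
    """Build per-station state from raw debug text; unrelated lines are ignored."""
    stations: Dict[str, StationState] = {}
    for line in capture.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            stations.setdefault(m["sta"], StationState()).handshake_done = True
            continue
        m = DHCP_RE.match(line)
        if m:
            st = stations.setdefault(m["sta"], StationState())
            st.dhcp.append((m["msg"], m["server"], m["xid"]))
            if m["msg"] == "Offer":
                st.offered_ip = m["ip"]
    return stations


if __name__ == "__main__":
    for label, capture in (("before fix", BAD_CAPTURE), ("after fix", GOOD_CAPTURE)):
        for sta, state in triage(capture).items():
            print(f"{label}: {sta} -> {state.verdict}, "
                  f"reclaim attempts={state.reclaim_attempts}, offered={state.offered_ip}")
```

The script reads the same signal the article does: a completed pairwise key handshake followed by Discover or Request traffic with no Offer means the security side is fine and the fault lies between the SSID and its DHCP scope, which is where a stray VLAN ID on the tunnel SSID belongs. The "reclaim attempts" counter explains the three Requests to 0.0.0.0 in the first capture: the iPhone is first trying to keep its old 192.168.151.2 lease before it starts a fresh Discover.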